Merge branch 'release-4.0'

7 files changed, 101 insertions, 49 deletions

diff --git a/api4/context.go b/api4/context.go
index 06eee6715..61c318266 100644
--- a/api4/context.go
+++ b/api4/context.go
@@ -355,7 +355,7 @@ func (c *Context) RequireInviteId() *Context {
 		return c
 	}
 
-	if len(c.Params.InviteId) != 26 {
+	if len(c.Params.InviteId) == 0 {
 		c.SetInvalidUrlParam("invite_id")
 	}
 	return c
diff --git a/api4/file.go b/api4/file.go
index a395fff65..4b39a1812 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 
 	l4g "github.com/alecthomas/log4go"
 	"github.com/mattermost/platform/app"
@@ -18,6 +19,27 @@ const (
 	FILE_TEAM_ID = "noteam"
 )
 
+var UNSAFE_CONTENT_TYPES = [...]string{
+	"application/javascript",
+	"application/ecmascript",
+	"text/javascript",
+	"text/ecmascript",
+	"application/x-javascript",
+	"text/html",
+}
+
+var MEDIA_CONTENT_TYPES = [...]string{
+	"image/jpeg",
+	"image/png",
+	"image/bmp",
+	"image/gif",
+	"video/avi",
+	"video/mpeg",
+	"video/mp4",
+	"audio/mpeg",
+	"audio/wav",
+}
+
 func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))
 
@@ -82,9 +104,9 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
-	if failConv != nil {
-		toDownload = false
+	forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download"))
+	if convErr != nil {
+		forceDownload = false
 	}
 
 	info, err := app.GetFileInfo(c.Params.FileId)
@@ -105,22 +127,7 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	contentTypeToCheck := []string{"image/jpeg", "image/png", "image/bmp", "image/gif",
-		"video/avi", "video/mpeg", "audio/mpeg3", "audio/wav"}
-
-	contentType := http.DetectContentType(data)
-	foundContentType := false
-	for _, contentTypeFromList := range contentTypeToCheck {
-		if contentType == contentTypeFromList && toDownload == false {
-			foundContentType = true
-			break
-		}
-	}
-	if !foundContentType {
-		toDownload = true
-	}
-
-	err = writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r)
+	err = writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r)
 	if err != nil {
 		c.Err = err
 		return
@@ -133,9 +140,9 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
-	if failConv != nil {
-		toDownload = false
+	forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download"))
+	if convErr != nil {
+		forceDownload = false
 	}
 
 	info, err := app.GetFileInfo(c.Params.FileId)
@@ -158,7 +165,7 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
 	if data, err := app.ReadFile(info.ThumbnailPath); err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil {
+	} else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil {
 		c.Err = err
 		return
 	}
@@ -205,9 +212,9 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
-	if failConv != nil {
-		toDownload = false
+	forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download"))
+	if convErr != nil {
+		forceDownload = false
 	}
 
 	info, err := app.GetFileInfo(c.Params.FileId)
@@ -230,7 +237,7 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
 	if data, err := app.ReadFile(info.PreviewPath); err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil {
+	} else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil {
 		c.Err = err
 		return
 	}
@@ -298,14 +305,38 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func writeFileResponse(filename string, contentType string, bytes []byte, toDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError {
+func writeFileResponse(filename string, contentType string, bytes []byte, forceDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, private")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 
-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	} else {
-		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
+		for _, unsafeContentType := range UNSAFE_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, unsafeContentType) {
+				contentType = "text/plain"
+				break
+			}
+		}
+	}
+
+	w.Header().Set("Content-Type", contentType)
+
+	var toDownload bool
+	if forceDownload {
+		toDownload = true
+	} else {
+		isMediaType := false
+
+		for _, mediaContentType := range MEDIA_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, mediaContentType) {
+				isMediaType = true
+				break
+			}
+		}
+
+		toDownload = !isMediaType
 	}
 
 	if toDownload {
diff --git a/api4/oauth.go b/api4/oauth.go
index 402651b92..05a38d206 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -392,7 +392,9 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	code := r.URL.Query().Get("code")
 	if len(code) == 0 {
-		c.Err = model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest)
+		err := model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest)
+		err.Translate(c.T)
+		http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect)
 		return
 	}
 
@@ -400,15 +402,19 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete"
 
-	body, teamId, props, err := app.AuthorizeOAuthUser(service, code, state, uri)
+	body, teamId, props, err := app.AuthorizeOAuthUser(w, r, service, code, state, uri)
 	if err != nil {
-		c.Err = err
+		err.Translate(c.T)
+		l4g.Error(err.Error())
+		http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect)
 		return
 	}
 
 	user, err := app.CompleteOAuth(service, body, teamId, props)
 	if err != nil {
-		c.Err = err
+		err.Translate(c.T)
+		l4g.Error(err.Error())
+		http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect)
 		return
 	}
 
@@ -455,7 +461,7 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil {
+	if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil {
 		c.Err = err
 		return
 	} else {
@@ -475,7 +481,7 @@ func mobileLoginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil {
+	if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil {
 		c.Err = err
 		return
 	} else {
@@ -500,7 +506,7 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if authUrl, err := app.GetOAuthSignupEndpoint(c.Params.Service, teamId); err != nil {
+	if authUrl, err := app.GetOAuthSignupEndpoint(w, r, c.Params.Service, teamId); err != nil {
 		c.Err = err
 		return
 	} else {
diff --git a/api4/post.go b/api4/post.go
index 3d1077358..3d0c681d1 100644
--- a/api4/post.go
+++ b/api4/post.go
@@ -55,6 +55,8 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	app.SetStatusOnline(c.Session.UserId, c.Session.Id, false)
+
 	w.WriteHeader(http.StatusCreated)
 	w.Write([]byte(rp.ToJson()))
 }
@@ -139,8 +141,8 @@ func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	channelId := r.URL.Query().Get("in_channel")
-	teamId := r.URL.Query().Get("in_team")
+	channelId := r.URL.Query().Get("channel_id")
+	teamId := r.URL.Query().Get("team_id")
 
 	var posts *model.PostList
 	var err *model.AppError
diff --git a/api4/team.go b/api4/team.go
index 1cbd89481..98a672d93 100644
--- a/api4/team.go
+++ b/api4/team.go
@@ -5,7 +5,7 @@ package api4
 
 import (
 	"bytes"
-	"io"
+	"encoding/base64"
 	"net/http"
 	"strconv"
 
@@ -657,12 +657,12 @@ func importTeam(c *Context, w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	w.Header().Set("Content-Disposition", "attachment; filename=MattermostImportLog.txt")
-	w.Header().Set("Content-Type", "application/octet-stream")
+	data := map[string]string{}
+	data["results"] = base64.StdEncoding.EncodeToString([]byte(log.Bytes()))
 	if c.Err != nil {
 		w.WriteHeader(c.Err.StatusCode)
 	}
-	io.Copy(w, bytes.NewReader(log.Bytes()))
+	w.Write([]byte(model.MapToJson(data)))
 }
 
 func inviteUsersToTeam(c *Context, w http.ResponseWriter, r *http.Request) {
diff --git a/api4/team_test.go b/api4/team_test.go
index b517f67fe..421428afa 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"testing"
 
+	"encoding/base64"
 	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
@@ -1345,7 +1346,12 @@ func TestImportTeam(t *testing.T) {
 		fileResp, resp := th.SystemAdminClient.ImportTeam(data, binary.Size(data), "slack", "Fake_Team_Import.zip", th.BasicTeam.Id)
 		CheckNoError(t, resp)
 
-		fileReturned := fmt.Sprintf("%s", fileResp)
+		fileData, err := base64.StdEncoding.DecodeString(fileResp["results"])
+		if err != nil {
+			t.Fatal("failed to decode base64 results data")
+		}
+
+		fileReturned := fmt.Sprintf("%s", fileData)
 		if !strings.Contains(fileReturned, "darth.vader@stardeath.com") {
 			t.Log(fileReturned)
 			t.Fatal("failed to report the user was imported")
@@ -1469,7 +1475,7 @@ func TestInviteUsersToTeam(t *testing.T) {
 }
 
 func TestGetTeamInviteInfo(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	defer TearDown()
 	Client := th.Client
 	team := th.BasicTeam
@@ -1485,6 +1491,13 @@ func TestGetTeamInviteInfo(t *testing.T) {
 		t.Fatal("should be empty")
 	}
 
+	team.InviteId = "12345678901234567890123456789012"
+	team, resp = th.SystemAdminClient.UpdateTeam(team)
+	CheckNoError(t, resp)
+
+	team, resp = Client.GetTeamInviteInfo(team.InviteId)
+	CheckNoError(t, resp)
+
 	_, resp = Client.GetTeamInviteInfo("junk")
-	CheckBadRequestStatus(t, resp)
+	CheckNotFoundStatus(t, resp)
 }
diff --git a/api4/user.go b/api4/user.go
index 04faf13c4..f13c33f0b 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -1056,7 +1056,7 @@ func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) {
 	var err *model.AppError
 
 	if switchRequest.EmailToOAuth() {
-		link, err = app.SwitchEmailToOAuth(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService)
+		link, err = app.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService)
 	} else if switchRequest.OAuthToEmail() {
 		c.SessionRequired()
 		if c.Err != nil {